The Hacker News — Cyber Security, Hacking, Technology News

Another day, another data breach. This time a fast-fashion retailer has fallen victim to payment card breach.

American clothes retailer Forever 21 announced on Tuesday that the company had suffered a security breach that allowed unknown hackers to gain unauthorized access to data from payment cards used at a number of its retail locations.

The Los Angeles based company, which operates over 815 stores in 57 countries, didn't say which of its stores were affected, but it did note that customers who shopped between March and October this year may be affected.

Forever 21 learned of the breach after the retailer received a report from a third-party monitoring service, suggesting there may have been "unauthorized access to data from payment cards that were used at certain FOREVER 21 stores."

Besides this, the company also revealed that it implemented encryption and token-based authentication systems in 2015 that are intended to protect transaction data on its point-of-sale (PoS) machines in its stores.

However, due to dysfunctional of the security layers on certain PoS devices, hackers were able to gain unauthorized access to data from payment cards at some Forever 21 stores, the company admitted.

Since the investigation of its payment card systems is still ongoing, complete findings of the incident, including the number of customers potentially affected, are not available at the moment.

"Forever 21 immediately began an investigation of its payment card systems and engaged a leading security and forensics firm to assist," the US clothing retailer said while announcing the data breach.

"We regret that this incident occurred and apologize for any inconvenience. We will continue to work to address this matter."

Meanwhile, customers who shopped at Forever 21 are advised to monitor their payment card statements carefully, and immediately notify their banks that issued the card for any unauthorized charge.

In an era where major data hacks are on the rise, it is no surprise breaches on individuals are also up.

In just three hours, over 100 criminals managed to steal ¥1.4 Billion (approx. US$12.7 Million) from around 1,400 ATMs placed in small convenience stores across Japan.

The heist took place on May 15, between 5:00 am and 8:00 am, and looked like a coordinated attack by an international crime network.

The crooks operated around 1,400 convenience store ATMs from where the cash was withdrawn simultaneously in 16 prefectures around Japan, including Tokyo, Osaka, Fukuoka, Kanagawa, Aichi, Nagasaki, Hyogo, Chiba and Nigata, The Mainichi reports.

Many ATM incidents involve a long-established technique called 'ATM Skimming' in which criminals install devices to obtain card details via its magnetic stripe, or use ATM malware or from data breaches, and then work with so-called carders and money mules to pilfer cash at ATMs or make online purchases.

In this particular case as well, the heist was carried out using cloned credit cards that contained bank account details obtained from Standard Bank in South Africa.

The criminal gang of around 100 people believed to have withdrawn 100,000 yen (nearly US$900) – the maximum amount allowed by cash machines – from each of the 14,000 ATMs.

No one has yet been arrested in connection with the heist. However, Japanese police are currently trying to identify the suspects by examining CCTV footage and are working with South African authorities to investigate how the information on credit cards was leaked.

This incident shows a sophisticated move by a group of criminals who stole the critical card data, but rather than using it immediately, it kept the data safe and used effectively when least suspected.

So, be cautious when you use any ATM and always look carefully at the teller machine before using it. If you found the machine tampered or its card slot looks damaged or scratched, DO NOT use the ATM.

Starting Thursday, Merchants must have new Payment Terminals installed to accept Chip Cards in their stores or restaurants. Otherwise, they will be responsible for credit card frauds.

Stephanie Ericksen, Visa's Vice President Risk Products said, "That's the date by which if a merchant doesn't have a chip terminal, and a counterfeit card is used at that location, they may be liable for that fraud on that transaction.''

60% Customers Still have Old Credit Cards

However, If you have not received a new credit card with chip technology, don't worry, you are not alone.

According to latest stats revealed by MasterCard, 60% customers still have Old Credit Cards based on Magnetic Stripe Technology, and it could take next 2-3 years to transform the whole payment system.

“The number of chip cards in the U.S. from these issuers will grow to 60 percent by the end of this year, expanding to 98 percent by the end of 2017,” MasterCard said.

In the wake of numerous high-profile Data breaches, including Target, Neiman Marcus or The Home Depot, and increasing rates of Credit Card Fraud, the Payment Card distributors are migrating to this new technology to reduce the costs of Frauds.

Traditional Magnetic Stripe cards transmit your account number and secret PIN to merchants, which could be easily hacked by fraudsters and cyber criminals.

Whereas, In case of Chip-n-PIN EMV Card, Embedded microchip stores your data in encrypted form and only transmits a unique code (one-time-use Token) for every transaction, making it difficult for cyber criminals to use the card for counterfeit fraud.

Thus, the need to bring the Chip-n-PIN technology as soon as possible was intended. To elaborate more on Chip and PIN Smart Payment Cards, they are capable of:

Eliminating the Card swipe method by enabling “Card Dipping”- putting the card into a terminal slot and waiting for it to sense and process.

Also, if these EMV cards get stolen, the information on the chip gained by an attacker will be of no use because the stolen transaction number created in that instance is unique and cannot be reused and after “dipping” it will deny the card.

This New Payment Card can be called by various names, such as:

Smart card

Chip card

Smart-chip card

Chip-enabled smart card

Chip-and-choice card (PIN or signature)

EMV smart card

EMV card

Chip and Dip card

Is Chip and Pin Technology Safe Enough?

Well, all anti-cloning theories are already proven wrong by security researchers and hackers.

Check out some previous articles posted on The Hacker News about hacking Chip-and-Pin cards :

Also, for online usage, neither a PIN nor a Signature is required, so just stealing credit card numbers is sufficient to use them for Fraud.

Future of Payment Cards

Moreover, as a solution, mobile payment and digital wallet services like Apple Pay and Google Wallet can be promoted by adopting more robust security mechanism and protocols; and making monetary transactions more safe and easy.

Another solution could be considered as the use of multiple factor authentication methods like Biometrics.

Also, you can take a sneak peak into this Video, where Jerry Irvine, member of the U.S. Chamber of Commerce Cyber Security Leadership Council and CIO of Chicago-based Prescient Solutions, in an interview with Slashdot Media discusses the new technology and its principles that promise safe payment practices.

800 Million US based Credit and Debit cards compromised! Really it’s a big number and till now it has not been sized by the cyber security officials but a hacker group claims that they had stolen data on hundreds of millions of U.S. card accounts.

Last week, the hacker group called itself Anonymous Ukraine (Op_Ukraine), said it has seized information pertained to 800 million U.S. credit and debit card accounts, including the cards’ data belong to U.S. President Obama and other political figures. The group says the intention behind this data theft is to harm the U.S. economy.

The messages posted on March 24 shows clearly that they were by anti-American. The first message read, "After the USA showed its true face when she unilaterally decides which of the peoples to live independently and who under the yoke of the Federal Reserve, we decided to show the world who is behind the future collapse of the American banking system. We own all the financial information of the Fed. And even more than you think."

The post was linked with four text files including the data sets of seven million card account that were from all the four card brands, Visa, MasterCard, Discover and American Express. On this, the four card companies didn’t comment until now, AmericanBanker.com reported.

On March 26, Anonymous Ukraine tweeted that it had released account details for five million more credit cards, and the very next day, it posted the details of 20 million more card accounts. Investigators working for Battelle counted a total of 10.2 million card accounts details in these batches.

"It's really important to keep an eye on your enemy, find out what they're interested in, what their motivation is, what their capabilities are. You have to have somebody out there watching the adversarial groups, watching inside these forums where they gather, and discuss and trade research back and forth, and discover where they're going next before they get there."

The financial data breach has been investigated by two companies, the security provider Risk Based Security and the world’s largest nonprofit research and development organization, Battelle. The companies reported that the records produced as evidence of the breach by the group are incomplete, out of date or are fraudulent.

The investigators were also unable to verify the 800 million accounts that the group claimed to have compromised, including those of the VIPs and political figures.

Till now, the data threat doesn't appear to be as serious as the Target breach that occurred during the last Christmas holidays in which hackers were successfully able to obtain 40 million valid current credit cards’ details.

But, yet the claims and any further releases of information by the hacker group is need to be revised and investigated, because these kind of claims serve as a reminder for the financial firms of the constant vigilance and collaboration.